Attacks on GoDaddy sites –

UPDATE: As of 4AM Pacific, on November 3rd, we’ve received various reports of another related outbreak of exploited sites on GoDaddy. We’re currently researching the issue and will provide updated scripts if necessary. Please comment below if you have been affected, or if you have any information on the exploit.

Just a quick update to this blog post: More Attacks –

We posted a few days ago that attackers were using to spread malware to multiple web sites. Today, they changed domains and are targeting GoDaddy sites using

The following domains/IP addresses are being used to spread the attack:

All the sites we’ve seen so far have the following code added to all PHP files:


Which is basically just the eval(base64_decode encoded. What is interesting is that this site is hosted at, which was used on previous attacks by the “Hilary Kneber” group, so we think they are all related:

Clean Up Action

The following script should clean up any infected site:

Updated 10/31/10 14:25 Pacific.

If you don’t have SSH access, download this file to your desktop: GoDaddy Fix 10/31/10

Once you have the file downloaded, rename gdd-fix_php.txt to gdd-fix_php.php

Upload the fix file to your site via FTP/sFTP, then open it in your browser (Example:

This script will take a few minutes to complete, but will scan your whole site and remove the malware entries.
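As an added illustration (not Sucuri's script and not code from this post), the following Python sketch shows the kind of scan-and-remove pass described above. It assumes the injection is a stand-alone eval(base64_decode("...")) block at the top of each PHP file, since the exact injected string is not reproduced here; strip_injection and clean_tree are hypothetical names.

```python
import base64, binascii, re, sys, tempfile
from pathlib import Path

# ASSUMED injection shape (the real string is not reproduced on this page):
# a stand-alone block at the very top of the file that holds only
# eval(base64_decode("...")), placed in front of the site's own code.
INJECTED = re.compile(
    rb"\A\s*<\?php\s+eval\(\s*base64_decode\(\s*(['\"])([A-Za-z0-9+/=]+)\1"
    rb"\s*\)\s*\)\s*;\s*\?>\s*"
)

def strip_injection(data: bytes):
    """Return (cleaned_bytes, decoded_payload); payload is None if no match."""
    m = INJECTED.match(data)
    if not m:
        return data, None
    try:
        payload = base64.b64decode(m.group(2), validate=True)  # decoded only, never run
    except binascii.Error:
        payload = b"<undecodable base64>"
    # The pattern also consumes the whitespace after "?>", so the cleaned
    # file starts at its own first byte instead of a stray line feed
    # (output before the opening tag triggers "headers already sent").
    return data[m.end():], payload

def clean_tree(root, apply=False):
    """Walk every *.php under root (all sub-directories). Dry run by default."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.php")):
        if not path.is_file():
            continue
        cleaned, payload = strip_injection(path.read_bytes())
        if payload is None:
            continue
        findings.append((path.relative_to(root).as_posix(), payload[:60]))
        if apply:
            path.write_bytes(cleaned)
    return findings

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # real use: path [--apply]
        hits = clean_tree(sys.argv[1], apply="--apply" in sys.argv[2:])
    else:                                      # constructed sample site
        blob = base64.b64encode(b'echo "constructed-sample";').decode()
        with tempfile.TemporaryDirectory() as site:
            Path(site, "index.php").write_bytes(
                f'<?php eval(base64_decode("{blob}")); ?>\n<?php echo 1;\n'.encode())
            hits = clean_tree(site, apply=True)
    for name, preview in hits:
        print(name, preview)
```

Run it without --apply first to review the decoded payload previews, and keep a backup outside the web root before rewriting files.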

For old exploits please check out our Simple Cleanup Solution

If you need help cleaning up your site, contact us at or at

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.


  • Rvtraveller

    This is ridiculous. What do we need to do to keep our sites free of malware? I already have a CRON set up to scan for this stuff every 30 minutes. Clearly Go Daddy has no idea what they are doing in terms of hosting…they are all too distracted making commercials.

    And to Todd from Go Daddy who I am sure is going to post here: Let’s avoid the BS about FTP passwords. What do I need to do, change my passwords hourly? I’m sure daily is often enough. Unless of course there is a vulnerability on your end letting hackers view everyone’s FTP password in which case it doesn’t matter how often I change it.

    In my opinion, the entire security department at Go Daddy should be fired because they clearly aren’t doing shit to protect the servers.

    • Ed Alexander

      Are you a security expert? Do you understand the limitations that a web host has as far as what level of security they can provide? Web hosts should provide the basic security measures then the rest falls on the website owner. I have tried web hosts that are too restrictive in the areas of security. Yep never got hacked – also had the slowest page load speed I have ever experienced and lost somewhere in the neighborhood of $300,000 in lost business because of that issue and several other issues because security was too restrictive. Hackers are a nuisance, nothing more. You should take website security measures for your website into your own hands. Create a very secure .htaccess file. Configure your php.ini or php5.ini files with max security. These 2 things alone should make your website impenetrable to most kiddie scripters and pros. If you’re looking for an .htaccess solution already made for you check out BulletProof Security. This is a plugin for WordPress, but the secure.htaccess file can be used for HTML websites as well. .htaccess is an Apache thing so as long as you are using Apache as your Server OS then you can use an .htaccess file to lock your website down from hackers.

      • Andres Armeda

        Information protection, not information prevention right? Agreed in that regard. I do disagree with your stance here though. Not everyone has the technical know-how to be a security expert, nor the ability to properly manage a full website for that matter. You’re lucky to know these things now, but at some point you didn’t. Take the case where you lost $300k, sorry to hear that btw, it made me cringe! It sounds like your IT leadership team didn’t fully understand what your architecture needs were, and the solution was poorly executed. But now you know, and probably will never have to worry about excessive monetary loss again. The fundamental issue here is companies like GoDaddy market to the masses, but don’t educate on the inherent security risks involved with hosting/managing a website. Does your grandmother know what an XSS attack is, or how to properly use an .htaccess file? Probably not, but she can make serious money online selling her awesome knitted blankets, and GoDaddy will surely sell her space at a considerably cheap cost per year. This isn’t the whole I’m selling cigarettes without letting the smoker know they’re going to die from cancer bit. Smokers already know they’re going to die from smoking, they understand the risk. In these cases, people don’t know their websites are going to be infected, or infect others. They truly don’t understand the rules of this playing field! In any event, you’re absolutely right, security should not stifle productivity, but neither should malware. To blame unknowing, non-tech people is not the answer, neither is letting hosting providers off the hook for mass selling and pushing off the inevitable onto the customer! Regards, Dre Armeda, CISSP

        • Ed

          Well you know you hit on an issue that is actually very important for people who do not have a whole lot of technical knowledge yet about website security and other technical website stuff. If you are new in the whole game then spend the extra money and get dedicated hosting instead of shared hosting. I see this question all over the Internet everywhere I turn – who is the cheapest web host? Well if you are just talking about a personal site then yeah that is the right question for you to be asking. If you are launching a serious business website that you plan on making money from and you are not experienced in the technical stuff then go straight to dedicated hosting and spend the few extra bucks. Dedicated hosting is automatically more secure. I love this analogy – shared web hosting is like you are living in a dorm and dedicated hosting is like you are renting a private house off campus. I should be using dedicated hosting instead of shared hosting because I know all the extra risks involved with shared hosting, but I guess I just like the extra challenge. LOL Of course I have security measures in place that limit the maximum amount of damage that can possibly occur and disaster recovery plans that will allow me to recover within minutes if my sites get hacked. Basically there is only one form of attack that I have not been able to completely block on shared hosting – the attack is this particular SQL Injection that nailed GoDaddy. I keep adding more and more layers of security, but I believe nothing I can do will actually prevent this form of attack on shared hosting because well this might just be the nature of shared hosting itself. 😉 I have several new security measures in place so I’ll just have to see if they do the trick. I find it all kind of amusing. LOL

    • charles

      I think they should partner with Trend Micro.

    • Will

      One of my sites was attacked by this, and I found that the attack probably was not because my site was on a shared server, but because I had written some php code that was not exactly secure. I was attacked twice. I cleaned up the mess with the script provided in the post above, but it did not correct the vulnerability.

  • Rvtraveller

    And FYI, that WordPress-fix script is not removing the new code.

    • Sarina – Trinigourmet

      I had problems with it too… However it did work when I began to run it from each sub-directory (e.g. wp-content, etc.). However with the number of sites I host that was an impractical approach so I just restored everything to yesterday’s backups (the attack happened at 1 p.m. today on my side)

    • Rvtraveller

      The following SSH code worked for me. Now just need to figure out why it isn’t working in a php file.

      $ find ./ -name "*.php" -type f | xargs sed -i 's###g' 2>&1

      • Rvtraveller

        I think I meant to type this in my previous response:

        $ find ./ -name "*.php" -type f | xargs sed -i 's###g' 2>&1

      • Rvtraveller

        Or, it could just be that the filter is getting rid of what I actually am trying to type. If people need the command, look here:

        • Andres Armeda

          We added a new script to the post that should fix the issue.



  • Andres Armeda

    We have updated our clean-up script and it should work properly on the new cases. If you have any questions, feel free to leave them in the comments.


  • Guest

    A site which I admin had this problem today. Thank you for your earlier posts, it helped me to understand what was going on. I’d fixed it by the time this post went up.

    One thing in particular alarmed me: the earliest modified files were all in the GoDaddy /stats/ folder, created if you enable web statistics. Every file was changed, html and png as if there had been a bulk replace. What’s crazy is that as administrator I can’t modify or delete these files, only GoDaddy’s stats service can. You can’t even see the folder with File Manager, you have to ftp. So the files had to have been changed on the server end. The password in .statspwd had been modified from what I had in my local copy of the site. And that .statspwd was the most recently modified file, timestamped after I had begun my manual cleanup of everything else. Perhaps it was being modified repeatedly. I disabled Stats, and had GoDaddy replace all of the files in the folder with a backup. So far so good.

    When I called into GoDaddy, they denied having any knowledge of being attacked, and when I directed them to they said it was the first time they’d seen it. I asked if we could figure out when the site was compromised and how but they said I’d need a subpoena to find out!

    • Ed Alexander

      I was one of the first people to call this one in to GoDaddy and alert them of the attack. They were in scramble mode as the attack had just occurred about 20 minutes before my call and they were definitely aware of it. LOL This is typical Corporate PR stuff – standard SOP. You never admit to anything negative. Worked for some giant corporations and it’s just SOP – no biggee. They were putting together a new “cleaner” script at the time of my call as this is a somewhat original new hacking tactic. It bypassed my .htaccess SQL Injection filters as well. Very slick attack. So now I have added a new filter that blocks this form of attack and variations of this hacking method.

      • wisdom teeth removal

        Ed, could you possibly share with me your scripts to prevent this attack, as unfortunately I was hit earlier today and did get it cleaned but I should have something more secure in place. Thanks.

  • Buzzingup

    Thanks a lot guys, you saved me hours and hours of work.

  • Bryan

    Thanks for the cleanup. Godaddy got hacked this morning!

  • Guti

    Thanks for sharing this script, however, I don’t know if it is only my case, but it leaves a white space in the line 1 and the last line as well. This is causing me headers issues. Is there a way to solve it? Thanks!!

  • paditur

    We were attacked on the 31st. Godaddy could not do anything but confirm we were victimized. I had to restore files from backup in order to get back up and running. Once that was done we were unable to access our db (according to Godaddy we reached our 200 users connection). I told Godaddy that we’d be lucky if we had 14 users connecting and that those 200 they saw were phantoms. They could not disconnect those connections and we were down for hours. And now this morning we’re down again, this time we cannot access the site because our ‘activation key’ is incorrect for the php software running. Which is crazy since it’s been running since 2009 with no problems and as far as we know we were able to connect last night with no issues either, so something happened between 5pm yesterday and 9am today. I’m so done with these guys.

    • paditur

      Also, Godaddy could not determine what happened. Even though all php files now have the exact date and time, they are still telling me that nothing is wrong, it’s the software. I’ve contacted the developer to see what he can do, but the activation request page that I now get is a fake. I can tell because the install url is incorrect. Sheesh. I wish I knew what to do besides calling Godaddy.


  • Kevin

    Yep, me too. A leading linefeed which causes a “headers already sent” error on a lot of pages. It seems to leave a linefeed on every php file. It’s left my wordpress blogs in rather a mess.

  • AbhayaMedia H2O Magazine

    Our site went kapot yesterday. We had no clue what had hit our site. Somehow with some tweaking we could get back online. Somehow, we noticed the malware script at the end of all pages served by the web server. When we searched google, we found the patch as above to remove the malware. Thankfully, the script successfully removed all the references to the malware in our site. Thank you for sharing

  • Aneiee

    yes, agree. my websites (take note: with “s”) all hosted with
    I reported to them to clean it up. Within 1-2 hours they told me it is cleaned up. Once I checked, the malware is not removed yet. I sent another incident report to them, they said they investigated and found out my website is running an old version of WordPress. FYI, mine is WordPress 3.0.

    Anyway, I give up with this so-called Godaddy Advance Security Support team. I downloaded this script and am going to use cron to run it every hour.

  • Scott

    You guys are great! I have been hacked twice in the past two days at midnight each time. Took me a while to replace all the PHP files but have just run the fix file which was successful.

    Many thanks


  • Marie Gendron

    Planet Mars Attacks on my GoDaddy websites !

    All my php files have been modified without my consent !
    The modifications occurred on (2010-11-08)
    Please help me 911 world !
    I noted the following internet sites that are connected to the malware :

    Here is an example of a modified php top file :

    I just found your blog with your solution script (today November 10, 2010)
    I will first contact GoDaddy technical support to ask them what I could do to prevent this kind of problem.
    And after, I will try your script to clean the malware from these attacks !

    So long !
    And thank you a lot so far !

    Planet Mars Attacks !
    from Marie Gendron

  • Marie Gendron

    Where is the file (gdd-fix_php.txt) to rename to (gdd-fix_php.php) ?

  • Marie Gendron

    I just tried (
    It says (no malware)
    but I have !
    So what can I do to remove the malware ?


  • Chris DeLine

    Just wanted to say thanks a lot for putting this up here and making it available. Was a life-saver for me tonight.

  • anyOneListening

    Hmm, that’s strange- Is Go Daddy capitalizing on what could be viewed as their fault in the first place? Check out their new product line –



  • prasanth kumar

    My sites hosted in GoDaddy have been attacked several times, GoDaddy is not doing anything to prevent this attack. I am planning to move all my sites to another hosting provider.



  • Johnny

    I can’t download the script?
